Microsoft gets Agile with its Security Dev Lifecycle
Microsoft is rethinking how to do security in an Agile (as in Agile development) world.
They have now issued new guidance for the Security Development Lifecycle (SDL) process that outlines how Microsoft thinks about and implements secure coding practices.
The new document officially carries the version number 4.1a and is a 130-page behemoth that is hardly light reading. Of its 130-page heft, pages 45 to 53 are the new ones on Agile (no, it's not much, but it might be enough).
"There is a perception today that Agile methods do not create secure code, and, on further analysis, the perception is reality," the new Microsoft guidelines state. "There is very little "secure Agile" expertise available in the market today. This needs to change."
I would be the last person to state that Agile leads to insecure code, though I can see where the idea comes from.